Average data breach costs fall globally, study finds

The average costs of a data breach for some Australian organisations have fallen 5% to A$2.51 million, down from A$2.64 million, compared to an average decrease in costs globally of 10%, according to a new report.

The report from IBM and the Ponemon Institute revealed that the average cost of a data breach globally fell to US$3.62 million, a 10% decline from 2016 results – the first time there has been an overall decrease in the cost since the global study began.

In Australia, the average cost per lost or stolen record was A$139, a 2.1% decrease.

In addition, in Australia lost business costs — turnover of customers, increased acquisition activities, reputation losses and diminished goodwill — decreased from A$840,000 to A$790,000 this year.

The study shows that the reasons for decreasing costs in Australia included a reduction in the number of stolen or lost records — a decrease of 5.8% — and improvements in organisations’ ability to retain customers following a data breach.

It is also revealed that abnormal churn (the greater-than-expected loss of customers) decreased by 5.3%.

But, according to the study, certain industries in Australia have higher data breach costs:

  • Financial services, services and technology companies tend to have a higher per capita cost than the average of A$139. For example, financial services can cost as much as A$232.
  • Companies in the public sector, transportation and retail had a per capita cost significantly below the average, and experienced lower rates of churn.

By root cause in Australia, 48% of data breaches were driven by malicious or criminal attacks, with the cost of remediation at A$154; 28% of incidents involved negligent employees or contractors, at a cost of A$130; and 24% were due to system glitches, at A$121.

On average, the study shows that Australian organisations took more than 5 months (175 days) to detect that an incident had occurred, 16 days quicker than the global average.

IBM cautions that the speed of response to a security breach affects costs significantly.

It says that the faster companies can identify and contain the breach, the lower the breach costs – and if the mean time to identify was less than 100 days, organisations could save 35% (US$1.96 million v US$3.05 million).

The study showed that the most profitable investments Australian organisations made to reduce the cost of a data breach included:

  • Extensive use of encryption
  • Having an incident response team in place
  • Employee training
  • CISO appointed
  • Participation in threat sharing

Globally, IBM says, when analysing the 11 countries and two regions surveyed in the report, it identified a close correlation between the response to regulatory requirements in Europe and the overall cost of a data breach.

European countries saw a 26% decrease in the total cost of a data breach over last year’s study.

IBM notes that businesses in Europe operate in a more centralised regulatory environment, while businesses in the United States have unique requirements, with 48 of 50 states having their own data breach laws.

“Responding to a multitude of regulatory requirements and reporting to potentially millions of consumers can be an extremely costly and resource intensive task,” IBM says.

According to the study, “compliance failures” and “rushing to notify” were among the top five reasons the cost of a breach rose in the US market.

IBM says a comparison of these factors suggests that regulatory activities in the US could cost businesses more per record when compared to Europe.

“For example, compliance failures cost US businesses 48% more than European companies, while rushing to notify cost US businesses 50% more than European companies.”

Additionally, US companies reported paying over $690,000 on average for notification costs related to a breach, more than double the amount of any other country surveyed in the report.

“New regulatory requirements like GDPR in Europe pose a challenge and an opportunity for businesses seeking to better manage their response to data breaches,” says Wendi Whitmore, global lead, IBM X-Force Incident Response and Intelligence Services.

“Quickly identifying what has happened, what the attacker has access to, and how to contain and remove their access is more important than ever. With that in mind, having a comprehensive incident response plan in place is critical, so when an organisation experiences an incident, they can respond quickly and effectively.”

Despite the average overall cost of a data breach decreasing by 10% globally to US$3.62 million, IBM says the cost was not down everywhere. The cost of a data breach in the US was US$7.35 million, a 5% increase compared to last year.

But, the US wasn’t the only country to experience increased costs in 2017:

  • Organisations in the Middle East, Japan, South Africa, and India all experienced increased costs in 2017 compared to the four-year average costs.
  • Germany, France, Italy and the UK experienced significant decreases compared to the four-year average costs. And, along with Australia, Canada and Brazil also experienced decreased costs compared to the four-year average cost of a data breach.

When compared to other regions, US organisations experienced the most expensive data breaches:

  • In the Middle East, organisations saw the second highest average cost of a data breach at US$4.94 million – more than a 10% increase over the previous year.
  • Canada was the third most expensive country for data breaches, costing organisations an average of US$4.31 million.
  • In Brazil data breaches were the least expensive overall, costing companies only US$1.52 million.

For the third year in a row, the study found that having an Incident Response (IR) team in place significantly reduced the cost of a data breach, saving more than US$19 per lost or stolen record.

The study also showed that the speed at which a breach can be identified and contained is in large part due to the use of an IR team and having a formal Incident Response plan.

“IR teams can assist organisations to navigate the complicated aspects of containing a data breach to mitigate further losses,” the study notes.

Additional key findings from the 2017 cost of a data breach report are:

  • By industry, healthcare breaches most costly: For the seventh year in a row, healthcare has topped the list as the most expensive industry for data breaches. Healthcare data breaches cost organisations US$380 per record, more than 2.5 times the global average across industries (US$141 per record).
  • Top factors increasing cost of a breach: The involvement of third parties in a data breach was the top contributing factor that led to an increase in the cost of a data breach, increasing the cost US$17 per record. Organisations need to evaluate the security posture of their third-party providers – from payroll to cloud providers to CRM – to ensure the security of employee and customer data.
  • Top factors reducing cost of a breach: Incident response, encryption and education were the factors shown to have the most impact on reducing the cost of a data breach. Having an incident response team in place resulted in US$19 reduction in cost per lost or stolen record, followed by extensive use of encryption (US$16 reduction per record) and employee training (US$12.50 reduction per record).
  • Positive impact of resiliency orchestration: Business continuity programmes are significantly reducing the cost of a data breach. The overall average data breach cost per day is estimated at US$5064 in this year’s study. Companies that have a manually operated Disaster Recovery process experienced an estimated average cost of US$6101 per day. In contrast, companies deploying an automated Disaster Recovery process that provides resiliency orchestration experienced a much lower average cost per day of US$4041. This represents a net difference of 39% (or a cost savings of US$1969 per day).



Peter Dinham

Peter Dinham is a co-founder of iTWire and a 35-year veteran journalist and corporate communications consultant. He has worked as a journalist in all forms of media – newspapers/magazines, radio, television, press agency and now, online – including with the Canberra Times, The Examiner (Tasmania), the ABC and AAP-Reuters. As a freelance journalist he also had articles published in Australian and overseas magazines. He worked in the corporate communications/public relations sector, in-house with an airline, and as a senior executive in Australia of the world’s largest communications consultancy, Burson-Marsteller. He also ran his own communications consultancy and was a co-founder in Australia of the global photographic agency, the Image Bank (now Getty Images).

